Kaspersky Labs has revealed details of Careto/The Mask, a complex advanced persistent threat (APT) that has been running since 2007. The Mask is highly complex and uses a sophisticated set of tools including malware, rootkits and bootkits to infect Windows, OS X and Linux machines.

Kaspersky first noticed The Mask when it observed attempts by the malware used to hide itself from Kaspersky Lab products by attempting to exploit vulnerabilities in those programs. Those vulnerabilities where fixed five years ago and Kaspersky has been researching this operation since then. Kaspersky rate The Mask higher than Duqu in terms of its sophistication and it is possible that the operation was state sponsored.

The main targets of The Mask fall into the following categories:

Government institutions

Diplomatic offices and embassies

Energy, oil and gas companies

Research institutions

Private equity firms

Activists

In the top five infected countries were the United Kingdom, Spain and France with Morocco being the most target country with over 380 IP addresses found in Mask related traffic.

Once a machine is infected, Mask intercepts all the communication channels and start stealing data including encryption keys, VPN configurations, SSH keys and RDP files. It is also possible that it steals data related to custom military/government-level encryption tools.

“Detection is extremely difficult because of its stealth rootkit capabilities. In addition to built-in functionalities, the operators of Careto can upload additional modules which can perform any malicious task. Given the nature of the known victims, the impact is potentially very high,” wrote members of the Global Research & Analysis Team (GReAT) at Kaspersky Lab.

Among the exploits used by The Mask is an Adobe Flash Player vulnerability which was discovered by VUPEN and used to win the CanSecWest Pwn2Own contest in 2012. The exploit, which included a tactic for escaping Google Chrome’s sandbox, was sold to VUPEN’s customers and not disclosed publically. It is possible that the group behind The Mask purchased the exploit from VUPEN.

At the moment the command and control servers used by The Mask are offline. The attackers began taking them offline in January 2014 but it is possible that the attackers could resurrect the campaign at some point in the future. The high degree of professionalism on the part of those running The Mask, including the way it was shutdown and the use of wipe instead of delete for log files, is another reason to believe that the operating was state sponsored.

The motivation behind such an ambitious project is the inevitable future of mass cyber-attacks on nuclear power stations, energy supply and transportation control facilities, financial and telecommunications systems. Until a few years ago cyber attacks were limited to web servers and emails server, however that has changed and now the very infrastructure that controls our countries is open for attack.

Industrial IT systems are different to office system and internet facing server for three very important reasons:

The system must always be running. If a web server is under attack, worst case scenario is that the server is shutdown until everything can be resolved. You can’t do that with the control system running a nuclear power station!

Because of the “always on” nature of the systems, performing software upgrades are difficult and often undesired by those running the systems.

Traditionally the ICS manufacturers have been less willing to provide updates to existing control system.

The result is that when an exploit is found in the control system, fixing it can be very hard.

The fact that the majority of control systems aren’t connected to the Internet could lull us into a false sense of security as how could a hacker possibility get to the system if it isn’t connected to anything. Unfortunately the reality is quite different. Kaspersky gives the following example from twelve years ago:

An employee of a third-party contractor who was working on the control systems of Maroochy Shire Council (in Australia) carried out 46 (!) attacks on its control system, which caused the pumps to stop working or work not as they should have. No one could understand what was happening, since the communication channels inside the system had been breached and the information traveling along them distorted. Only after months did companies and the authorities manage to work out what had happened. It turned out that the worker really wanted to get a job at the sewage firm, was rejected, and so decided to flood a huge area of Queensland with sewage!

And this long before the rise of cyber espionage malware like Stuxnet, Duqu, Flame, miniflame and Gauss.

“Ideally, all ICS software would need to be rewritten, incorporating all the security technologies available and taking into account the new realities of cyber-attacks,” wrote Kaspersky.

However, such a huge project effort would still not guarantee sufficiently stable operation of systems. The alternative is to create a a secure operating system, one onto which ICS can be installed. To do this Kaspersky Lab are developing a highly tailored operating system for a specific narrow task. It is not, as Kaspersky put it “for playing Half-Life on, editing your vacation videos, or blathering on social media.”

Also the company is working on methods of writing software which, by design, won’t be able to carry out any behind-the-scenes, undeclared activity.

“It’s a sophisticated project, and almost impracticable without active interaction with ICS operators and vendors. We can’t reveal many details of the project now because of the confidentiality of such cooperation. And we don’t want to talk about some stuff so competitors won’t jump on our ideas and nick the know-how. And then there are some details that will remain for certain customers’ eyes only forever, to ward off cyber-terrorist abuses,” added Kaspersky.

More details about the system, its requirements and background to its development can be read here.

A new piece of malware called “Flame” has been uncovered by Kaspersky Lab and is thought to be part of a well-organized, state-run cyber espionage operation affecting Iran, Israel and other Middle Eastern countries. Because the new malware seems to attack computer mainly in the Middle East and because of the specific software vulnerabilities exploited, analysts are saying that although Flame differs from Duqu and Stuxnet it belongs to the same family.

“The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world. The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet” wrote Kaspersky Lab in a statement.

According to the the Iranian CERTCC, the file naming conventions, propagation methods, complexity level, and precise targeting indicate that Flame is a close relation to the Stuxnet. However one important difference is that Flame is modularised. Once a machine has been infected the operators can upload new modules to increase Flame’s functionality. So far 20 modules have been found but it is expected that researchers will find more.

Flame can perform a number of complex operations including network sniffing, making screenshots, recording audio, logging keyboard strokes, and so on. All this data is sent to the operators via command-and-control servers.

According to Reuters, it is possible that Flame has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign. Further details can be found in Kaspersky Lab’s Flame FAQ.